Following criticism of ASIC in the Senate Economics Committee report on ASIC’s performance (particularly in relation to CBA and Macquarie), ASIC has announced a review of the timeliness of breach reporting by Australian financial services (AFS) licensees under section 912D of the Corporations Act.
Section 912D(1B) requires a financial services licensee to self-report a significant breach or likely significant breach of its AFS licence obligations to ASIC as soon as practicable and in any case within 10 business days after becoming aware of it.
What does “becoming aware of it” mean?
In ASIC’s opinion, a licensee should not wait until after it has completed a full investigation to satisfy itself that the breach or likely breach is significant.
ASIC has recently written to the Institute of Internal Auditors Australia to highlight the issue of timing, in response to a letter from IIAA to ASIC.
According to ASIC Deputy Chairman Peter Kell:
“By all means, firms should consider what they may need to do to rectify a breach. However, they should not wait until then to report to the regulator. We have seen instances where efforts to rectify a breach, even if well intentioned, have taken so long that they have compromised ASIC’s ability to investigate and take action once the incident was finally reported. This is a highly undesirable outcome for both the regulator and the financial services sector….
When does a licensee become aware of a breach?
In our view, this is when a person responsible for compliance becomes aware of the breach or likely breach. We expect a licensee’s internal systems to ensure that the relevant people become aware of breaches in a timely and efficient manner. The bottom line is: if in doubt, report the breach to ASIC. Err on the side of caution. We are happy to work with licensees who take their breach reporting obligation seriously.
Not reporting significant breaches is, of itself, likely to be a breach of the breach reporting requirement. It indicates that a licensee’s compliance arrangements may be inadequate.”
This is not to say that licensees should not obtain advice on the significance of a breach. The question of whether a breach is significant is an important pre-condition to reporting to ASIC.
Regulatory Guide 78.15 sets out examples of breaches that ASIC may consider as significant:
- failure to maintain professional indemnity insurance;
- failure to prepare cash flow projections;
- previously undetected breaches;
- representatives give inappropriate financial product advice;
- representatives operate outside the scope of licence authorisations; and
- fraud in the supply of financial services.
Regulatory Guide 78 Breach reporting by AFS licensees (RG 78) states that the reporting period starts on the day the AFS licensee becomes aware of a breach or likely breach that it considers could be significant.
The note to RG 78.28 states: “In providing up to 10 days to report a breach, the law allows you to make a genuine attempt to find out what has happened and decide whether the breach is significant. In responding to a breach notification, we will take into account any delays or obfuscation in reporting.”
To ensure you comply with the breach reporting requirement on a timely and consistent basis, you should have a clear, well-understood and documented process for:
- identifying breaches or likely breaches;
- ensuring that the people responsible for compliance are aware of those breaches;
- determining whether identified breaches are significant;
- reporting to ASIC those breaches or likely breaches that are significant;
- rectifying the breach or likely breach; and
- ensuring that arrangements are in place to prevent the recurrence of the breach.
Bright Law can help you review your compliance framework, including breach reporting procedures and the role of the board, legal advisers and other consultants.